Individuals should have a right to access their care records without charge. The Department of Health Information Strategy set a target that individuals should be able to gain electronic access to their own care records where they request it, starting with GP records by 2015 and social care records as soon as IT systems allow. The review recommended extending this right of access within the next decade to cover hospital records, community records and personal confidential data held by all organisations within the health and social care system. The review also highlighted the importance of putting in place a clear plan for implementation to ensure that this happens;

An audit trail of everyone who has accessed a patient’s personal confidential data should be made available in a suitable form to patients via their health and social care records;

For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual. The health and social care professional regulators must agree upon and publish the conditions under which regulated and registered professionals can rely on implied consent to share personal confidential data for direct care. Where appropriate, this should be done in consultation with the relevant Royal College. This process should be commissioned from the Professional Standards Authority;

Organisations should pay closer attention to the appropriate transfer of information when people move across institutional boundaries, such as leaving hospital;

Regulatory, professional and educational bodies should ensure that information governance, and especially best practice on appropriate sharing, is a core competency of undergraduate training; and information governance, appropriate sharing, sound record keeping and the importance of data quality are part of continuous professional development and are assessed as part of any professional revalidation process;

The Department of Health (DH) should recommend that all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development. The report does not exclude the possibility of small organisations sharing Caldicott Guardians or information governance staff to develop expertise and ensure consistency; and

In order to encourage openness and transparency, every health and social care organisation should publish a description of what personal confidential data it discloses, to whom and for what purpose. This information should already exist within the Data Protection Act privacy notices and data sharing agreements that organisations have produced.

The report recommends the addition of an additional principle to the 1997 Caldicott Principles – ‘The duty to share information can be as important as the duty to protect patient confidentiality: Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies’.

The Health Secretary has responded to the Caldicott review, stressing the need to strengthen patient privacy on confidential data use, and to respect the relationship of trust between the patient and medical professional which will be key to enabling information and technology to have a transformational effect on healthcare. DH will make a full response to the review in the summer of 2013. Dame Fiona Caldicott will also be chairing an independent panel to oversee and scrutinise implementation of the review’s recommendations, and provide advice on information governance issues.

If DH agrees with the review’s recommendations, there may be amendments to some of the current IG requirements, e.g. checks on the competency of IG Leads and whether they become ‘Caldicott Guardians’, and the possibility of strengthening self-assessments.

The report states: ‘The Information Governance Toolkit is an online resource that allows NHS organisations and other bodies to assess themselves against the Department of Health’s information governance standards and policies. In practice, there is no independent audit of the self-assessments submitted and it is questionable how well they reflect actual information governance practice in organisations, particularly given the obligations to publish the results. Version 8 of the toolkit had required both supporting evidence of the self-assessment score to be submitted and for the scoring and evidence for some of the requirements to be internally audited. As a consequence, there was a marked decline in the results. Additionally, the Department of Health subsequently initiated a ‘deep dive’ assessment of the scoring of five of the requirements in a number of acute trusts, looking at the efficacy of the internal audit process. The quality of the audit was found to be variable and the consistency of scoring across organisations to be poor.

The Review Panel concludes that Information Governance Toolkit self-assessments could be strengthened, and their profile raised, by inclusion of declarations in the Statements of Internal Control accompanying the annual quality reports of NHS organisations or for non-NHS organisations, in the annual report or performance report, signed off by the organisation’s board or equivalent body’.

The F-Code or ODS code is the the unique code issued to your pharmacy which identifies you to NHS Prescription Services. You can find this on any pricing authority statement or your prescription submission document (FP34c).